MFA Reset Policy

A committer may need to reset their ASF multi-factor authentication (MFA) if they lose access to their MFA devices or believe their MFA has been compromised.

There are two paths to recovery if you have lost your MFA token(s):

Self-service with a recovery code established during initial MFA setup.

Visit https://mfa.apache.org and use a recovery token by clicking "Select another authentication method."

Identity validation by Infra.

Have someone from your PMC or Department open an Infra Jira ticket, or email security@infra.apache.org. Infra will validate your identity against factors that you previously registered with the ASF.

To keep this process low-friction, we strongly encourage committers to register multiple factors in advance:

Save the recovery codes provided during MFA setup.
Upload a valid GPG public key to id.apache.org.
Link their ASF and GitHub accounts via Boxer.

If a committer cannot establish their identity through any of their registered factors or through any other Infra-established process, the affected account will be disabled, and the committer will need to work with their project to be onboarded again through the new-committer process.

More committer-specific details related to the reset procedure are maintained on the ASF Infra Cwiki. (Committer authentication required.)

Copyright 2026, The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache® and the Apache logo are trademarks of The Apache Software Foundation.